Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.
DreamHost looks to have done a great job notifying affected customers via the update page, keeping them up-to-date throught out the day until the issue was resolved. It looks like all FTP passwords were indeed reset.
We recommend that all DreamHost customers log into to their accounts and check their account status. It is encouraged that you change your account passwords, and it wouldn’t hurt to change your FTP and database passwords again just to make sure.
If you read through the comments on the blog post listed above, you will see quite a few complaints about infected sites across DreamHost servers over the last few months. As of now, these infection issues do not look to be related to yesterdays security incident.
One user on the DreamHost Status Blog attributes the malware issues to the DreamHost one-click install wizard, we have not confirmed this:
Apparently, the breach occured in November via the
one-click install wizard offered by Dreamhost: One click and your whole
Wordpress / Drupal web site is installed, ready to use, automatically updated
by the wizard. Apparently, it’s the wizard itself that was compromised and
anybody who used it was affected.
We have cleaned quite a few of these websites, and most of them were infected through outdated software installed by the customer. The important note to take here is it’s crucially important to ensure you’re keeping your sites updated. Remember, security is everyone’s responsibility. If you’re running a website you have a responsibility to your readership, customers, and the online world in general.
Updated (January 21st, 2011 – 14:22 PST) DreamHost CEO released a Security Update blog post on the official DreamHost blog.
Simon Anderson, DreamHost CEO, says,
“our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”
Sucuri is unclear of the impact from the breached passwords at this time, but we’ll update as we get more information about the incident.
If you’re interested in learning about your website security health, run a free scan with Sucuri SiteCheck, hopefully you’re green across the board.
Simon Anderson, DreamHost CEO, says, “our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”
Oh, and you can read that and his post here: http://blog.dreamhost.com/2012/01/21/security-update/
The post was updated with this info. Thanks!
I read on a security blog that the DreamHost security breach was due to SSH Password attacks using domain name elements as userid. SSH logs were showing access attempts utilising elements of the reverse DNS name of the IP address being accessed. For example using isc.sans.org results in the userids isc, sans and org. This may be cause a number of hosting providers use the domain name itself as the userid for shell access for customers.
Great site here!
I found something that might interest a lot of you here. Use this promo code
SAVEHUGE50 to get $50 off your hosting bill with DreamHost.